I have a legacy 1.9 Moodle which is open for demo purposes. It will stay as 1.9 for the time being as an upgrade is too much work for now.

I have 'Captcha' enabled for account creation but in spite of this some random accounts are being created (by a bot?) and all using the address victorblancha45@gmail.com. The accounts are not being used for activities and I delete them almost daily now.

How about just letting the account get created and then disabling the account? I believe Moodle will only allow one account to be associated with an email address; subsequent attempts to create new Moodle accounts using the same email address should not work.

I have a Moodle 2.2 with captcha enabled for email-based self-registration and still get spam accounts created every couple of hours on average. I disable the accounts when I find them, most every day. So this costs the spammers a captcha attempt that somebody would have had to do, but it seems there is no shortage of people somewhere to pass the captcha test. At this point I assume that my captcha test is being repurposed by a spammer to have people falsely believe they may be unsubscribing from getting junk emails.

Thanks Rick, I have already voted for and am watching the issue since earlier this year. This would be a welcome enhancement to the user filter advanced settings.

From my comment in the "Spammers Using Self Registration" thread, I may have another idea to prevent spam accounts (copy & pasted from there):

The bogus account profiles are fairly easy to filter / suspend / delete as the country is random and our users are all within Canada. In the Location settings our Default country is therefore set to Canada. Considering this further, it seems that on the initial account signup page, JavaScript is used to automatically populate the Country profile field with the Default country. Extending this even further, the bogus accounts would seem to indicate that the bots are not JavaScript enabled. Could there be a browser JavaScript capability check done on the signup.php page before allowing any form data to be submitted? My idea is to have an additional setting in Site Administration > Plugins > Authentication > Email-based self-registration. I would like to see a checkbox for "Require JavaScript for Creating New Accounts" (default unchecked). Could the spam solution be so simple that it only requires the client to be JavaScript enabled? Might there be other mitigating factors such as accessibility, or any confusion caused by mobile or tablet themes?

I think others have suggested something along the same lines as your suggestions. I like to keep the country set to United States, to make it easier for my students. The spammers on my system have email accounts from aol.com and hotmail.com. But so do some of my valid users.

All these spammers don't make it into any course, which is why I want to filter on this condition. Ideally, I would prefer a filter that states "Delete users not in any course after xx days."
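The rule asked for above ("delete users not in any course after xx days"), combined with the default-country signal from the earlier post, can be sketched as follows. This is an added example, not part of any poster's message and not Moodle code; the CSV column names, the function name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). The column names are
# assumptions for this example, not a Moodle export format.
SAMPLE_EXPORT = """\
id,username,email,country,timecreated,courses_enrolled
101,asmith,asmith@example.org,CA,2012-03-01T09:00:00+00:00,2
102,xk39vq,bot1@example.net,BR,2012-03-02T03:14:00+00:00,0
103,newstudent,new@example.org,CA,2012-03-19T10:00:00+00:00,0
104,traveller,abroad@example.org,FR,2012-03-01T12:00:00+00:00,1
105,qq81zz,bot2@example.net,RU,2012-03-18T22:40:00+00:00,0
106,lurker,lurker@example.org,CA,2012-03-01T08:00:00+00:00,0
"""

def triage_accounts(export_text, now, grace_days=7, expected_country="CA"):
    """Sort user ids into 'keep', 'review' and 'cleanup' lists.

    keep:    enrolled in at least one course, or still inside the grace period.
    cleanup: in no course after the grace period and from an unexpected country.
    review:  in no course after the grace period but from the expected
             country, so a human should decide.
    """
    result = {"keep": [], "review": [], "cleanup": []}
    cutoff = now - timedelta(days=grace_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        created = datetime.fromisoformat(row["timecreated"])
        enrolled = int(row["courses_enrolled"]) > 0
        foreign = row["country"].upper() != expected_country
        if enrolled or created > cutoff:
            # Enrolment outweighs the country signal (valid users travel),
            # and new accounts get time to join a course first.
            bucket = "keep"
        elif foreign:
            bucket = "cleanup"
        else:
            bucket = "review"
        result[bucket].append(int(row["id"]))
    return result

if __name__ == "__main__":
    today = datetime(2012, 3, 20, tzinfo=timezone.utc)  # constructed date
    for bucket, ids in triage_accounts(SAMPLE_EXPORT, today).items():
        print(bucket, ids)
```

The country check is only used to split unenrolled accounts into automatic cleanup and manual review, so a real user with a foreign address or a webmail account is never removed once they are in a course.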

I agree with the filter (and have voted for it). Until such time, have you looked at geoblocking?

Not sure if it would suit your situation, but having just cleared out 1000+ spammers yesterday, then 100 new today, we've just blocked anyone from outside our country from accessing our site.

To do so, rather than using the inbuilt IP blocker, we went with using the .htaccess file (less hassle I believe). Now we'll just have to worry about the IP list becoming outdated and blocking legit signups.